AWS SAA Exam: VPC Practice Questions


What is the range of allowable IP block sizes (netmask) in AWS VPC?
/16 (largest range) to /28 (smallest range)
Can a subnet span multiple AZs?
No, but you can have multiple subnets in on AZ. Remember 1+ subnets = 1 AZ.
True/False. It is a good security practice to add a route to an internet gateway in the main route table.
False. By default, any subnet you create is associated with the main route table. If the main route table has a route to the internet, then any newly created subnet would, by default, be public.
A Private Route Table Looks Like This:

A Public Route Table Looks Like This (Has a Route to an IGW):

Why might an EC2 instance not have a public IP, or not be accessible from your browser?
To have a public IP, it needs to be in a public subnet. The auto-assign public IP should also be selected when creating the EC2 instance. Additionally, the security group must allow all HTTP traffic if you want to be able to access it from the internet. The NACL associated with the subnet that the EC2 instance resides in should not block the IP you are accessing it from with your browser on port 80 (http) or 443 (https). The route table for its subnet must have a route to an Internet Gateway (IGW). If you click "Open Address" link next to the public IP, it uses HTTPS which won't work if you haven't set up your app to use HTTPS. Copying and pasting the public IP uses unencrypted HTTP.
True/False US-East1A in your AWS account is the same physical AZ as US-East1A in another account.
False, while resources in US-East1A within your account will always share the same physical location, the AZ locations are randomized for each account. So the physical geographic location of US-East1A for you might be called US-East1B or US-East1C in someone else's account
True/False When changing the security group of an EC2 instance, you must restart the instance for the change to take effect
False, the change takes effect immediately.
True/False NAT Gateways are Multi-AZ
False, NAT gateways exist on ONE AZ with redundancy in that AZ.
What must you do to allow an EC2 instance in a private subnet to access the internet?
  • Recommended Method: Create a NAT Gateway, and set up a route traffic with public IP destinations (or 0.0.0.0/0) to the NAT Gateway.
  • Old Method: you could route such traffic to a NAT Instance instead of a NAT Gateway. However, it this is much worse. It is not highly available, it requires more management by the customer, and it can be a massive network bottleneck. You have to worry about increasing the instance size, or managing autoscaling groups for NAT instances if your network demands grow or vary. You would also have to keep the NAT instance patched and secure.
True/False A NAT Gateway should be in a public subnet.
True. The NAT gateway needs direct access to an IGW.
True/False Once NAT Gateway is created, it receives traffic with destinations with IPs like 10.*.*.* and forwards them to the internet gateway.
False, TCP/IP requests with PUBLIC destinations are forwarded to the internet gateway by the NAT Gateway.
True/False - NAT Gateways are automatically assigned a public IP.
True
True/False - When using a multi-AZ architecture which needs internet access at all times, you probably only need one NAT Gateway in your VPC.
False. NAT Gateways do not span AZs. They are AZ-specific. If the NAT Gateway's AZ goes down, it goes down as well, and if it was the only NAT Gateway in your VPC it would cause ALL private subnets and all AZs to lose internet access. To make your architecture AZ-independent, make a NAT Gateway in each AZ and set your routes to ensure that resources use the NAT in the same AZ.
True/False - If your NACL has an allow rule and a deny rule for the same IP, it will be denied because denial rules always take precedence.
False. In NACLs, rules with lower rule numbers (usually near the top of the list) take precedence over rules below them. Priority is not based on allow or deny.
In the below example, a single IP denial rule is added at the bottom. However, this will not do anything since an allow for all IPs is above it. To enable this rule, you would need to lower the rule number to increase its priority.
True/False - NACL changes take place immediately.
True
What are ports 1024 - 65535?
These are ephemeral ports used with TCP protocol by the NAT Gateway. They need to be allowed in both inbound and outbound rules for the NACL to which your NAT's public subnet is associated. These are also the ports used by requests originating from an Elastic Load Balancer.
Which should you use to block specific IPs? A security group, or a NACL?
NACL. SGs cannot block specific IPs.
True/False. For a given subnet, you can stack multiple NACLs.
False. You can associate a NACL with multiple subnets, but a subnet can only be associated with one NACL at a time.
True/False. Like with Security Groups, for NACLs if you add an inbound rule for HTTP, you don't need to add an outbound rule to ensure inbound HTTP requests get a response.
False. SGs are stateful, but NACLs are stateless - they don't remember the request that a response came from. Therefore you need both inbound and outbound rules to allow an HTTP request and response to complete.
True/False. The first four IPs and the last IP in the first created subnet in a VPC are not available for use. For all other subnets, all IPs in the CIDR block provided when creating the subnet are available.
False. The first four IPs and the last IP in EACH subnet are not available for use.
The IPs are used by:
  • 10.0.0.0: Network address.
  • 10.0.0.1: Reserved by AWS for the VPC router.
  • 10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.
  • 10.0.0.3: Reserved by AWS for future use.
  • 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.
How many Internet Gateways (IGWs) can you have per VPC?
Just one.
True/False. You can add an additional Security Group, or remove a SG from a running EC2 instance and the change takes effect immediately.
True
True/False. When you create a new Network Access Control List (NACL), it denies everything by default.
True
For a CIDR block containing only one IP, what should it end with?
				A. /1
				B. /16
				C. /28
				D. /32
				
/32. See https://cidr.xyz/ to convert CIDR blocks to ranges.
How many subnets do you need to provision a load balancer?
				A. Just one subnet.
				B. At least two public or private subnets.
				C. At least two public subnets, from different availablity zones.
				D. One public subnet and one private subnet.
				
C. At least two public subnets from different availablity zones.
Flow Log Data is stored using....
				A. Cloudwatch Logs
				B. Cloudtrail logs
				C. VPC Flow Logs
				D. ELB Logs
				
A. Flow Log data is published to either Cloudwatch logs or S3.
Flow logs can be at which level? (choose all that apply)
				A. Organizational Unit Level
				B. VPC Level
				C. Subnet Level
				D. Network Interface Level
				
B, C, and D
True/False. You cannot enable flow logs for peered VPCs unless the peered VPC is in the same AWS account.
True
True/False - you can ssh into your private EC2 instances through a NAT Gateway.
False. You would need a bastion host for this.
Using AWS Global Accelerator, how can you control the flow of traffic to different endpoints? (choose all that are true)
				A. Using traffic dial percentages, you can control traffic to different regions.
				B. You can use traffic dial to control traffic to specific endpoints without using endpoint groups.
				C. You can use endpoint weights to control how much traffic goes to specific endpoints in an endpoint group.
				D. You can use traffic dials to direct traffic cross-region or completely stop traffic to a region.
				
A, C, and D are all correct.
If you are connecting to S3 from private ec2 instance with a NAT Gateway, using alot of data and incurring charges, how can you continue to connect to S3 without traversing the internet and save money?
Use a VPC Endpoint
For connecting privately to SQS, should you use a Gateway or Interface Endpoint?
Interface Endpoint
For connecting privately to DynamoDB, should you use a Gateway or Interface Endpoint
Gateway Endpoint
PrivateLink requires:
				A. NLB in service VPC & ENI on customer VPC
				B. ALB in service VPC & ENI on customer VPC
				C. ENI in service VPC & ALB on customer VPC
				D. ENI in service VPC & NLB on customer VPC
				
A is correct.
If you have hundreds of VPCs, and you want to connect entire VPC network of each VPC to each other VPC, which could you use to maintain security? (Select Two)
				A. A PrivateLink connection
				B. VPC Peering 
				C. An Internet Gateway
				D. Transit Gateway
				
B and D are correct. VPC Endpoints or PrivateLink only apply to one service, not the whole network. An internet gateway is less secure. VPC Peering connects the entire VPC to another VPC. Transit gateway uses a hub-and-spoke model to easily set up VPC Peering for many VPCs.
T/F VPC Peering and Transit Gateway can be used across different accounts.
True
You have two VPCs peered, with instances in many different subnets which all communicate with eachother, and which don't need internet acccess. The VPCs and instances don't really contain anything that needs to be isolated for security purposes. Which two ways can you reduce the network data transfer costs the most?
				A. Use PrivateLink to connect the instances.
				B. Merge two VPCs into one.
				C. Put all the instances in one private subnet in one AZ.
				D. Set up Transit Gateway for the VPCs.
				
B and C are correct. Traffic across VPCs incurs charges as does traffic across different AZs. PrivateLink has its own charges.
What part of Global Accelerator services the static IP addresses for the accelerator from a unique subnet?
Network Zone - Similar to an availability zone, a network zone is an isolated unit with its own set of physical architecture. Two IP addresses are provided in case one IP becomes unavailable due to IP address blocking or network issues. Clients can retry on the healthy static IP.
T/F an egress-only IGW allows all IPv4 and IPv6 traffic out to the internet, but does not allow any IPv4 or IPv6 traffic in to the VPC.
False. Egress-only internet gateways use IPv6 only. IPv4 traffic is not enabled by an egress-only IGW. The purpose of an egress-only IGW is to block incoming IPv6 traffic but allow outgoing IPv6 traffic.
A VPN connection consists of which two of the following components?
				A. Gateway Endpoint
				B. Customer Gateway
				C. Virtual Private Gateway
				D. Interface Endpoint
				
B and C. A virtual private gateway sits at the edge of your VPC. A customer gateway sits on-premises.